2015-11-25

Home Office meeting re IPBill

Thanks to the Internet Service Provider's Association (ISPA) I got the chance to visit the Home Office yesterday and hear their briefing on the Draft Investigatory Powers Bill and ask lots of questions. There were a number of small ISPs at the meeting. Obviously these are my views as I don't speak for ISPA.

Firstly, as you can imagine, security is pretty tight. There was an X-ray screening, and a two door air-lock entrance thing to get in, and constant escorts, and locking up phones, laptops, and any recording devices on a separate floor before going to the meeting. Obviously I was told to bring photo ID, and as I got to the desk I went to get my driving licence when the receptionist said "Ah, I can see your photo ID" and handed me my visitor's pass and sent me on my way. They even let me keep my pen knife. Yes, I got in on my work's photo ID around my neck, which I printed myself on the work Matica card printer - I could have been anyone!

However, apart from that amusement, things were quite interesting. We asked a lot of questions around data retention - this is one of the main areas of concern for small ISPs as the bill seems to allow an order to retain data that could only be obtained by somewhat expensive deep packet inspection (DPI) equipment. It also does not say we'd get paid for this kit, just that the "contribution" would not be "nil".

What we heard was somewhat "civil servant" waffle, but overall was quite reassuring. They basically said they already have retention orders with the large ISPs under the existing regime, and would expect to serve new orders only on them. They have already discussed with them what they could retain. They even said that an ISP would not be expected to log things for which they don't have the capability, or to log any "third party data", or "over the top services". From what we can tell, the logging of "Internet Connection Records" would come from operators that have web proxies and/or CGNAT equipment. They also said they currently do 100% cost recovery and intend to keep that the same.

Of course, they could not rule anything out. We basically said we need some of that re-assurance on the face of the bill some how (see my written evidence at the end of this post for more details of what I would like). The key points in the bill now are that they do have to consider cost and impact on the ISPs business when making an order, and they do have to consult us first. That should probably rule out doing any DPI stuff on cost grounds. Mind you, after yesterday, I would be surprised if A&A do not have a red flag and "don't go near with a retention order"...

At the start of the briefing the the bill was explained, and we heard a story very similar to Theresa May’s comments along the lines of:-

“Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she make a phone call”

Now, I am sure this is a well practised speech, used many times before. I am sure the response has been nodding of heads and agreement with how important “Internet connection records” are, obviously.

However, I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.

This seemed to fool them somewhat and they had no real answer - we were not just nodding and agreeing, and that was unexpected :-)

I asked about Data Protection Act Subject Access Requests for retention data, and they don't know.

We asked if DNS logs might be wanted, and they don't know.

I asked about my canary and if the law could compel me to lie - they could not answer that either.

We asked what an "Internet Connection Record" is meant to be, and they confirmed that it is basically down to what they agree with the ISP when they do the consultation before the make a retention order, and will depend on what the ISP can log. We all expressed concern that the bill makes out that an "Internet Connection Record" is a real "thing" and not just some vague term.

I asked about the gagging clause - not allowed to disclose retention orders, and they said the large ISPs asked for that clause, which makes no sense as they could simply choose not to disclose anything.

I asked if the audio content telephone calls to directory enquires counted as "content" and not "communications data" and if so, the content of DNS packets should be treated the same. They were very non committal on that and I wonder if they will be wanting DNS logging. One ISP there outsources DNS to an American company so would have no logs!

I pointed out that if asked to log email I can simply move email to a foreign email service to avoid the hassle. That caught them out - almost like they have never considered that anyone would do that.

Overall - it looks like small ISPs probably have nothing to worry about, but...

We'd like that a lot clearer on the face of the bill

None of this addresses the privacy issues, but I have been invited to working group on that in a few weeks.

There is a call for written evidence - here is what I have submitted (pdf).

P.S. No, I did not see Theresa; No, they did not hypnotise me; No, I have not yet wiped my phone after being in their hands for two hours... yet; Yes, they had coffee and biscuits; No, I don't think Theresa is a goa'uld; No we have never been and are not subject to a retention order; No we have no "black boxes" of any colour.

When I was working on the night shift for an ISP in 1998, we got a policeman at the front door claiming that some teenage girl had threatened suicide in a chat-room, and obviously we would be prepared to give him her account name and address. He was utterly stunned that we wouldn't do this on his say-so. (Fortunately we had a director on call who could say the same thing.)

I wonder if it ever occurred to the policeman that the girl in question may well not even have been in this country, if she even existed in the first place? Did you try explaining that, or just point out he wasn't entitled to the information anyway?

About ten years ago now, I was contacted on MSN Messenger by an "eight year old girl", who mysteriously happened to have the same ISP and location as the old school friend who had just found my rather obscure and unshared MSN username. Funny, that.

I do remember being impressed when I happened to be flying home from the US arriving the morning of 9/11, and some friends from IRC tracked me down and phoned me at home to make sure I was OK.

It sounds like one knowledge gap in drafting the law is the lack of awareness of just how much Internet activity connected devices generate when not being used by a person.

There seems to have been an implicit assumption that Internet use only happens when a human triggers it. This is only true for voice telephony (and even then, becoming less true with robocallers, IVRs and the like), and not true for any data service.

In the case of a teenage girl going missing, I'm puzzled how knowing she /accessed/ Twitter would help in any way whatsoever.She's a teenage girl, *of course* she accessed Twitter - can that not be taken as read?Having access to her feed and being able to read her DMs, yes, I can see that may be helpful, but that's not what the bill is proposing.

Nevertheless, if I was them and given your opposition and small size as an ISP, I would be much more attracted to targeting the wholesale communications providers with the actual networks in the ground - Openreach, TalkTalk and Virgin Media, together with the mobile network providers. Presumably at a wholesale level, they can fairly easily identify which phone line the Internet traffic relates to? This would be much more practical than making requests to every small ISP.

Yes, but they cannot easily produce the "Internet Connection Records" from that - it would be a very expensive project for say Bt Wholesale to DPI the UDP/L2TP/PPP/IP/TCP passing through the wholesale network. My understanding is logs will be coming from retail sides using web proxies and NAT!

The Twitter example is a bit odd. Knowing that her phone accessed twitter is useless, as you point out, but they can easily see if she has *posted* something by just looking at her twitter account, since twitter posts are usually public. The exception to this is if she had set her account to be private, in which case a court order to Twitter would do the job. Posts to twitter will be over HTTPS so the ISP probably can't tell the difference between her phone polling for updates or her posting a message anyway (ok, you may be able to draw weak conclusions on this from the size of the packets, but still).

I think what they are meaning to say is that it would be useful to go on a fishing expedition through her internet traffic to see what she was doing, rather than specifically looking at whether she's used Twitter. This is obviously a completely different thing.

What you *can* tell from traffic monitoring is that there has been some traffic to certain services (e.g. twitter, facebook, instagram, whatever) which then lets the police have some idea about which services they should be sending court orders to to find out what that traffic actually was.

As for ISPs asking for there to be a gagging clause, this makes some sense: an ISP telling their customers that they are helping to spy on them would be bad for business, so the ISP may want to keep this confidential. But if someone leaked to the press that an ISP was spying on their customers and had voluntarily kept quiet about it, that would also be pretty bad for business. the solution: make sure the law says they aren't allowed to tell anyone. If the press found out about them spying, their excuse now appears perfectly reasonable: "we're legally not allowed to tell anyone".

There may be operational reasons for the security services keeping targeted monitoring secret (don't want to tip off the person you're monitoring), but in that case it should be ok to disclose that the monitoring took place some time after the event. I don't see any motivation for the security services keeping this stuff secret forever, other than to avoid public oversight.

And as you've pointed out, the line between "content" and "metadata" is pretty murky! Also worth considering that telco call records are routinely kept by the telco for billing purposes *anyway*, whereas web addresses aren't - the difference being that for the former they mostly just expect the telco to hand over what they were already collecting, whereas for the latter they are requiring the ISP to collect something extra.

Also, isn't this bill being fast tracked? Something so controversial shouldn't be allowed to bypass scrutiny by going through a fast track process.

Well, that would be nice, but the processing to do that on bulk is a problem. We do however already offer obfuscated PPP (disguised IP as LCP) if you have a FireBrick. That may break any such logging, if they do it. It would be great if DPA subject access requests can get the data as that would allow us to find if that worked.

The intelligence services aren't subject to SDA requests. If they were they'd just lie anyway, because they're protected by the government. The reason we don't issue licenses to kill isn't just because this isn't Hollywood, it's also because the government isn't obliged to prosecute murderers. It can choose to simply not prosecute an intelligence agent who kills somebody in the line of duty. In very rare cases the Crown Powers are even used to officially pardon people we know committed grave crimes for the state.

This might seem outrageous until you remember that US Presidents routinely, and with almost no grumbling, use their power of pardon to free people they owe personal favours to.

As the bill requires them to consult with you before making any retention order there seems nothing to legally prevent you from alerting your customers of this fact, before the order is served. Hopefully you would mention it here as soon as you were aware of their intention to "consult".

Was there any discussion about data backups? It's one thing to hold data records but another thing entirely if you have, by law, to be able to provide them at any time. That rather suggest you'll need to backup the data up to some DR site. More cost and complexity. Thanks for keeping us informed of what's going on. I'm still not persuaded that the politicians really get the complexities of what they're asking for.

Tricky. You have to maintain to same level of integrity as system from which data was derived. So if derived from a switch that only holds data in RAM and detected it after a few nanoseconds? Who knows?

- As mobile carriers are using CGNAT and proxies/dpi unless you use VPN on your phone non encrypted traffic likely to generate detailed ICR. As facilitating hacking is now part of the law, I wouldn't be surprised if "additional" trusted root certificate could be added to telco firmware. Checking iOS9 trusted root (https://support.apple.com/en-gb/HT205205) you can find a selection of government issued root that I personally wouldn't particularly trust (like Turkish government one, as iOS9 also block *.google.com generated by the same certificate... sounds like a good MITM candidate...)

- Large ISPs have more resources and as such will be expected to provide more detailed ICR

- Smaller ISPs are less likely to be affected and what will be requested will be negotiated and depends on their resource.

So except if you are a Darwin Award nominated wannabe terrorist looking at "http://www.jihad.org/bomb" on your mobile your are unlikely to be detected (except if you accessed http://www.whereistheparty.com unfortunately hosted on the same IP).

Everything I write here is just my honest opinion and not a statement by my employer, etc, you get the idea. If you find any words or pictures menacing or offensive, or likely to impair your computer, or alarming or distressing, stop reading now and don't come back (and don't forget to block me on social media too). Nothing here is legal advice. Everything on this blog is without prejudice, just in case. Comments are moderated to weed out obvious spam, so do not appear instantly. You take responsibility for any comments you post. Always bookmark www.me.uk as I may change the URL blogger sees.

And please, if you don't like what I post, say so - comment - discuss...